Placing and reading tracking cookies again ruled unlawful

On February 12, 2025, the Interim Injunction Judge of the District Court of Amsterdam, following Court of Appeal Amsterdam December 5, 2023 and District Court Amsterdam June 7, 2024, found the placement of tracking cookies to be unlawful.

In the process, Microsoft and Xandr were ordered to cease and desist from these violations of the Telecommunications Act and the General Data Protection Regulation (AVG).

Tracking cookies may be placed, provided prior consent is obtained from the data subject. But in this case that was not the case, technical investigations revealed that even in cases where that approval had been denied, those tracking cookies had been placed and read anyway.

It was also notable that the Provisional Court considered that it had been shown that Microsoft and Xandr indicated that they would not change their behavior either. Both companies were also ordered to pay a penalty on the injunction to still comply with the ruling.

Defenses

Both defendants were not Dutch defendants, but because of the plaintiffs’ residence in the Netherlands and the fact that the damage was done in the Netherlands, the Provisional Court nevertheless found jurisdiction.

Another defense raised by the defendants was the lack of an urgent interest. The Interim Injunction Judge did not go along with this, as this was an infringement of the plaintiffs’ fundamental rights. Such an infringement must end as soon as possible.

Both defendants also raised the defense that they were not to blame, after all, it is the website operators who place the cookies. The Interim Injunction Judge considered that the fact that the website operators do this did not exonerate both defendants.

What was important in this case was that even after the website operators placed the cookies, the defendants could still decide not to read the cookies because the required consent was lacking. It is then all the worse that that missing consent does not lead to the inference that the cookies cannot be used, but simply are used and personal data is processed.

Notable point

What was further notable was that both tech companies indicated that it is indeed possible to obtain prior consent, which allows one to act within the boundaries of the Telecommunications Act and the AVG.

Since Dutch judges have made similar rulings before, it is important to see if the Tech giants take this seriously. Will they actually seek prior prior consent and act on the lack thereof, or will they take the penalty payments at face value, as they will have virtually no impact on their business results.

Contact

Do you have any questions regarding this article or other questions regarding IT and ICT law or Privacy law? Please contact one of our  attorneys by email, phone or fill out the contact form for a free initial consultation.  We are happy to think along with you.